Nortel ERS 5520 PwR Switch

Update: February 7, 2009 It was time to update this article with some additional information and settings that I’m now using in all my switch deployments. The big change is the updated ADAC MAC address table. Please also note the VLACP time-out scale change, and I’ve updated the year field for the Daylight Saving Time change.

Update: August 13, 2008 This was one of the first articles I wrote back in October 2007 and it is by far the most popular article out of all 110 articles that I currently have published. With that said I decided to come back and spruce up this post with some additional “tweaks” that I’ve added over the past 10 months. I’m also going to attach a link to a text file so folks can just download the file of commands, tweak the individual settings such as IP address and VLAN information, and then cut and paste into the CLI of the Nortel Ethernet Routing Switch 5520. It will hopefully save folks from having to cut and paste each section.

Note: a quick warning about cutting and pasting into the CLI: I’ve often found that the input buffer will overflow if I try to paste an entire configuration at once. I usually need to break it into at least two or three sections and paste those sections one at a time.

In this post I’ll try to outline how you can configure the Nortel Ethernet Routing Switch 5520 in a VoIP environment using Nortel i2002/i2004 Internet Telephones (this procedure will also work the same with the i2007/1120E/1140E phones).

You’ll obviously need an ERS 5520 switch running SW 5.0.6.22 or later and FW 5.0.0.3 or later (there are known issues with earlier software versions that produce inconsistent results using LLDP with the i2002/i2004 phones). I would strongly advise that you start with a default configuration; this erases the running configuration, so save a copy of anything you need first. From the CLI issue the following commands to reset the switch to factory defaults;

5520-48T-PWR> enable
5520-48T-PWR# boot default

The switch should reboot with a default configuration. Let’s proceed with the configuration;

Let’s set up ADAC (Automatic Detection and Automatic Configuration) for our i2002/i2004 phones. We’ll be using VLAN 50 as our voice VLAN and port 48 as our uplink (the switch will add port 47 automatically because of the MLT configuration). There is a new command to clear the ADAC MAC address table that may be missing from earlier software versions, “no adac mac-range-table”. I’ve also updated the list of entries that I use.

The option highlighted in red above (filter-unregistered-frames) was added after an issue was discovered while trying to upgrade the firmware on the IP phones. filter-unregistered-frames is enabled by default and should be disabled to avoid any issues with upgrading the firmware on the IP phones. We are still investigating with Nortel and our voice vendor, Shared Technologies.

Let’s disable the two remaining ports that share the GBIC interfaces in case we need those in the future;

Let’s setup a QoS interface group to trust all traffic that will ingress on the fiber uplinks. By default the ERS 5520 switch will strip all QoS tags on all ports. Thankfully ADAC will take care of the QoS settings for all VoIP traffic.

1) What can happen if some tagged packets go to the phone’s PVID? (referring to the untag pvid command)

2) Do you always need to enable both MLT & VLACP? I (mis)understood that it was an option to use one protocol or the other..

3) I wonder why you did not include any spanning tree commands in this article. Are they in by default somehow on the ERS?

4)In the case of a single link trunk from one switch to another, is it true that you would need to disable stp on the trunk port? What protection could be the best choice then, apart from rate limiting?

1) The end device (laptop or desktop) will not understand the 802.1q frame and will just drop the frames leaving any device you plug into the PC port on the phone unusable. In essence this command just tells the switch to leave the 802.1q headers on the voice VLAN traffic so the phone can identify those frames but strip the 802.1q headers for the PC traffic so the PC won’t freak out – it’s not expecting an 802.1q frame.

2) These are two very different protocols. MLT allows you to trunk two physical links into a single link at Layer 2 for additional bandwidth and additional redundancy should one link fail. VLACP is a method used to detect a communication problem over a link and mark the port as down so you don’t end up switch/bridging packets across a dead uplink – an uplink that has link but there’s nobody home on the far end. I use VLACP where I have Ethernet Switch 470s because the GBICs don’t support autonegotiation. Without autonegotiation there’s no ability to detect a far end failure – say a single fiber strand breaks, one switch will still have link while the other won’t have link. VLACP would detect that loss of connectivity and mark the port as down keeping your network from switching/bridging/routing traffic down a dead link where the packets would ultimately be lost forever.

3) I did include Spanning Tree commands. I recommend that everything use “fast start” because of the auto MDI/MDI-X feature where an end-user or confused technician could easily put a loop into your network by mistakenly cabling two ports together. Search for “spanning-tree” above, here’s the reference;

5520-48T-PWR (config-if)# spanning-tree learning fast

Note: you should NOT run Spanning Tree on your MLT ports!

4) Spanning Tree is a system-wide protocol. We used to run Spanning Tree across an ATM LAN where it sometimes took 90 seconds for Spanning Tree to converge. We employ a few layers of protection: the first is at the closet switch, which I discussed in the answer above, using “spanning-tree learning fast” on all edge ports; the second is SLPP (Simple Loop Protection Protocol) on our ERS 8600 cores; and lastly we use CP limiting on the ERS 8600 cores, which will shut down an uplink if too many broadcast or multicast frames start flooding the network from that specific uplink.
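
To make answer 1 above concrete, here is an added example (not part of the original post and not Nortel code) that models the three egress tagging modes an ERS access port can have, untagAll, untagPvidOnly and tagAll, and shows what the phone and the PC behind it actually receive on the wire. The frame layout is standard 802.1Q; the MAC addresses, VLAN 10 as the data PVID and VLAN 50 as the voice VLAN are constructed values.

```python
"""Model of how an access port's egress tagging mode (untagAll / untagPvidOnly / tagAll)
changes what the phone or PC on that port receives. Added example, not from the post;
MAC addresses and VLAN numbers below are constructed."""
import struct

TPID_8021Q = 0x8100
UNTAG_ALL, UNTAG_PVID_ONLY, TAG_ALL = "untagAll", "untagPvidOnly", "tagAll"


def build_frame(dst, src, vlan, pcp, ethertype, payload):
    """Tagged Ethernet frame: dst(6) src(6) TPID(2) TCI(2: PCP3|DEI1|VID12) EtherType(2) payload."""
    tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, pcp, ethertype, payload); vlan is None for untagged frames."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0xFFF, tci >> 13, ethertype, frame[18:]
    return dst, src, None, 0, ethertype, frame[14:]


def egress(frame, pvid, mode):
    """Apply the egress rule of a port whose PVID is `pvid` to a frame the switch has
    already classified into a VLAN (so the input must be tagged)."""
    dst, src, vlan, pcp, ethertype, payload = parse_frame(frame)
    if vlan is None:
        raise ValueError("frame must carry its VLAN classification")
    if mode == TAG_ALL:
        strip = False
    elif mode == UNTAG_ALL:
        strip = True
    elif mode == UNTAG_PVID_ONLY:
        strip = vlan == pvid  # only the port's own (data) VLAN leaves untagged
    else:
        raise ValueError("unknown tagging mode: %s" % mode)
    if strip:
        return dst + src + struct.pack("!H", ethertype) + payload
    return build_frame(dst, src, vlan, pcp, ethertype, payload)


# Constructed sample: data VLAN 10 is the port's PVID, voice VLAN 50 carries the phone's RTP.
PHONE_MAC = b"\x02\x00\x00\x00\x00\x01"   # locally administered, made-up addresses
PC_MAC = b"\x02\x00\x00\x00\x00\x02"
GW_MAC = b"\x02\x00\x00\x00\x00\xfe"
VOICE_FRAME = build_frame(PHONE_MAC, GW_MAC, 50, 6, 0x0800, b"rtp")
DATA_FRAME = build_frame(PC_MAC, GW_MAC, 10, 0, 0x0800, b"http")


def vlan_seen_by_receiver(frame, pvid, mode):
    """VLAN ID carried on the cable after egress (None means the frame left untagged)."""
    return parse_frame(egress(frame, pvid, mode))[2]


if __name__ == "__main__":
    for mode in (UNTAG_ALL, UNTAG_PVID_ONLY, TAG_ALL):
        print(mode, "voice ->", vlan_seen_by_receiver(VOICE_FRAME, 10, mode),
              "data ->", vlan_seen_by_receiver(DATA_FRAME, 10, mode))
```

Running it, the untagPvidOnly row shows voice leaving with its tag (VLAN 50) while data leaves untagged; with untagAll the voice frames lose their tag too, so the phone can no longer tell the voice VLAN apart from data; and with tagAll the PC receives tagged frames it will drop, which is the symptom described in the answer. It is also why a user-facing port should only be a member of the VLANs it really needs: any VLAN that egresses tagged is visible to whatever is plugged in.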

You mentioned do NOT run spanning tree on MLT ports. Does that mean we should disable STP on MLT ports? I am planning to configure a 4-port MLT on two 5510-48 switches. What is your suggestion? Thanks in advance.

Michael, one more question for you if you have time regarding ‘rate-limiting’

we have sometimes seen issues where a user will bring a linksys/home switch in and plug it into their drop (unauthorized). the linksys/netgear/etc switch does NOT run STP. we are now implementing STP BPDU-Filtering/Guard on our edge ports to prevent unauthorized switches connecting to the network, but this doesn’t help with un-managed switches (which would be the majority of what people would bring in from their home).

now, if they connect a cable from the linksys switch to itself again (creating a loop), the flood of broadcast packets will also egress out the single uplink into the production network.

rate-limiting (e.g. 10% setting), will suppress this flood of broad/multi-cast traffic to 10% of the link, which is great because it will save the network … but the problem is , how do we then know a loop has occurred?

does the switch send an SNMP-trap when this threshold is hit? that is the biggest concern. the network will be saved from a storm, but at the same time if i am not alerted or notified, then the loop continues to exist (suppressed).

The rate limiting feature is built into the ASIC hardware so there’s no reliance on actual switch software – which is a good thing. While you’re basically correct, you’ll generally know soon enough that there’s a problem. While rate limiting will keep the majority of your switches reachable/manageable you’re still going to experience all sorts of MAC/FDB issues because of the loop. If you have a management system that is performing threshold monitoring that system will generally alert you to the surge in traffic. I’m currently using a combination of HP Open View and MRTG. In the majority of instances you’ll see SLPP kick in and eventually CP-LIMIT will kick in at the core isolating the edge switch in question.

In an ultra-secure environment you could configure MAC security (old school way) or you could go with a Network Access Control (NAC) solution which integrates with the latest Nortel switches.

With regard to your example… Spanning Tree enabled on the edge access ports will help save you 99% of the time in my experience.
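
The threshold monitoring mentioned in the answer above is the piece that tells you a loop is still there once rate limiting has hidden it from the rest of the network. As an added example (not from the post, and not tied to any particular NMS), this script does what an MRTG/OpenView style poller would do with per-port ifInBroadcastPkts and ifInMulticastPkts readings: convert consecutive Counter32 samples to packets per second, survive a counter wrap, and alert on the port that exceeds a threshold. The polls below are constructed and the 1000 pps threshold is an assumption you would tune to your own ports.

```python
"""Threshold detection of a broadcast/multicast surge from periodic per-port counter polls.
Added example, not from the post. Counter names follow IF-MIB (ifInBroadcastPkts,
ifInMulticastPkts); the sample polls below are constructed and the threshold is an assumption."""

COUNTER32_MODULUS = 2 ** 32  # IF-MIB Counter32 objects wrap at 2^32

# Constructed polls: (poll time in seconds, port, ifInBroadcastPkts, ifInMulticastPkts).
# Port 12 starts looping somewhere after t=300; port 13 is a quiet user port.
SAMPLES = [
    (0, 12, 1_000, 200), (0, 13, 500, 100),
    (300, 12, 1_300, 260), (300, 13, 800, 160),
    (600, 12, 2_000_000, 1_000_000), (600, 13, 1_100, 220),
    (900, 12, 4_000_000, 2_000_000), (900, 13, 1_400, 280),
]


def packets_per_second(prev, cur, interval):
    """Rate from two Counter32 readings; the modulo makes a single wrap between polls harmless."""
    if interval <= 0:
        raise ValueError("polls must be strictly increasing in time")
    return ((cur - prev) % COUNTER32_MODULUS) / interval


def detect_surges(samples, threshold_pps=1000.0):
    """Return [(time, port, pps)] for every poll where broadcast+multicast ingress exceeds the threshold."""
    last = {}
    alerts = []
    for t, port, bcast, mcast in sorted(samples):
        if port in last:
            pt, pb, pm = last[port]
            pps = packets_per_second(pb, bcast, t - pt) + packets_per_second(pm, mcast, t - pt)
            if pps > threshold_pps:
                alerts.append((t, port, round(pps, 1)))
        last[port] = (t, bcast, mcast)
    return alerts


def worst_port(samples):
    """Port with the highest observed rate: the one to go and physically look at first."""
    rates = detect_surges(samples, threshold_pps=0.0)
    return max(rates, key=lambda a: a[2])[1] if rates else None


if __name__ == "__main__":
    for t, port, pps in detect_surges(SAMPLES):
        print(f"t={t}s port {port}: {pps} pps broadcast+multicast, above threshold")
    print("start with port", worst_port(SAMPLES))
```

Because the switch keeps forwarding at the rate-limit ceiling, the counters on the offending port keep climbing while every other port on the stack looks normal, so the alert also answers the second question in the thread (which port to pull). Poll the edge switches themselves rather than only the uplinks, otherwise you see the storm aggregated on the trunk and lose the port number.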

just discovered your blog a few days ago and it’s nice to have discussion (just found the nortel community forums as well) :)))

that’s good to hear that the rate-limiting is done in ASIC; no sense in overwhelming the CPU with rate-limiting enabled on all ports… but i wish there was a way to admin_down the interface when those thresholds were reached on the edge switches (5520, 460)…i would much rather have the interface be disabled than the traffic limited until I found the issue/error.

i’m using Open View as well, so maybe i need to do some tweaking/etc but not sure where to start for this topic at hand…

many of our IDFs/switches in different campuses are not connected via SMLT. many are DMLT or single-uplink, depending on our availability of fiber backbone and 8600 interfaces. slowly trying to migrate these to SMLT, but it does take a lot of time for the campuses in different countries where i’m not on-site, physically…so SLPP wouldn’t help for those locations (uplinks are NOT SMLT).

i’ve noticed CP-Limit appears to be enabled by default for 8300 and 8600s. this is generally the case when there is a loop and an interface is auto-disabled. i have not configured these thresholds, so they must be at default values (enabled by default); i have also noticed (and remember working with Nortel on a case about this years ago), that there is a separate per-interface CP-Limit. i’m trying to recall, but I remember (this was back in 3.5.x.x days), that you eat up resources by enabling the CP-Limit on a per-interface basis, and as a result could only do so many interfaces. i’ll have to re-investigate this, but it was like there were two separate types of rate-limiters on the 8600.

Also, I presume the same rules apply for SMLT’s? We currently have two edge switches configured with MLT’s that connect to the core and form a SMLT. There seem to have been a few inconsistencies when they were initially configured as one has STP disabled on the trunk and the other enabled.

I’m not sure who you’ve been talking to at Nortel but you certainly don’t need STP enabled on a trunk just because you have multiple VLANs (802.1q) traversing that link. If you had multiple trunks between two switches without using a MLT/DMLT/SMLT configuration you would certainly need STP enabled between those switches in order to prevent the Layer 2 loops that would be present in such a configuration.

It’s my recommendation NOT to run STP between your edge and core switches. I definitely recommend you run it on your edge switches but not on the ports that uplink to your core (or distribution) network. You can run it if you choose to, I just don’t find it very useful to do so and there can be implementation differences between some vendors (example, Cisco floods BPDUs across all ports in an EtherChannel configuration while Nortel only floods BPDUs across the lowest interface in a MultiLink Trunk configuration).

In an SMLT configuration you CAN NOT run STP at all between your edge and core (or distribution) switches because it defeats the whole purpose of building a network architecture that is active/active as opposed to active/passive. In an SMLT design both uplinks from the edge are actively passing and receiving traffic, unlike when you use STP/RSTP/MSTP traffic can only traverse one of the uplinks while STP blocks the other uplink.

That has cleared up a few things! – I’m still getting to know the network as I have only recently joined the company!

As you mentioned STP is disabled on the SMLT configs on our two core switches. We have around 20 edge switches, which after further investigation 7 have STP enabled on the MLT trunks. We attempted to disable STP on one of the edge MLT trunks (connected to each core as SMLT) but had to quickly change this back as once we re-enabled the trunk we lost connectivity from the edge switch.

I will be getting back in touch with Nortel with your comments and see where we go from there.

It can be ugly to read the logs without the proper date/time and timezone set. I believe the switches count up from the time they were started/booted.

Depending on the version of software on the switch you should be able to issue a “show log sort-reverse” from the CLI interface and it will show you the log from the bottom up (latest events first). You’ll then need to do the math to match up the timestamps in the logs to the real date/time.

If you have access and configure NTP the timestamps in the log will be automatically updated so you can read them properly. You can have a look at the post Network Time Protocol (NTP) for information on how to configure NTP.

I work for a company which has all 5520’s at the edge and an 8600 at the core. We randomly see the issue of a loop back which will bring that edge device down and it is often very difficult to locate the looped device.

We are already using rate limiting on the trunks to protect the network, as well as Spanning Tree; however, as mentioned earlier in the posts, eventually CP-Limit kicks in and the 8600 will block the port. This takes our edge offline and we need to troubleshoot the issue by placing the switch back online.

Also – The syslog does not seem to ever indicate where the problem originated from.

Does anyone have any advice that could help us identify and/or prevent the broadcast storm which occurs?

I believe the basic answers to your questions can be found throughout the different comments.

I generally follow a “defense in layers” approach… utilizing the different features such as STP, SLPP, Rate Limiting, BPDU Guard, CP-Limit and Ext CP-Limit to provide an overall defense against any situation where a high rate of broadcast/multicast frames might endanger the general operation of the network.

In short Spanning Tree running on the edge switch (edge ports only please, no STP on the uplinks) should cure 99% of any loop induced problems by preventing any loop from either within that specific switch/stack/closet or downstream of that switch/stack/closet (someone plugging in an unmanaged hub/switch). SLPP helps to protect against an MLT configuration issue on the edge switch by disabling one of the MLT downlinks. I use rate limiting on all ports not just trunk uplinks. This prevents any single port from injecting too many multicast/broadcast frames into the network although you need to test this feature carefully if you have multicast applications. Ultimately CP-Limit protects the core network from a single switch/stack/closet flooding the CPUs with too many broadcast/multicast frames.

In my experience Spanning Tree (Fast Learning) has resolved 99.9% of issues in my environment (I have over 24,000 switch ports in my environment). In a few instances I’m happy to sacrifice a switch/stack/closet using CP-Limit to protect the rest of the network. The log on the ERS 5500 series switches will not show you “where the problem is”, what would be the need for us network engineers? If you are using Spanning Tree you can look at the switch port interfaces to see which port is in a blocking mode as opposed to forwarding mode.

Maybe you also can answer my question: is there any way to configure LLDP on the switch so that it will send two Network Policy TLVs – one for the Voice Application and one for the Voice Signaling Application? This is needed to provide different DSCP values to IP phones – one will be used by the phone for control traffic (between the IP phone and the Signaling Server) and the other for media traffic (between the IP phones).

I believe this is already the case with Nortel’s IP phones and their integration with ADAC/LLDP but I can’t be 100% sure. You’d need to run a packet capture against the data stream to see if the control traffic is tagged differently than the actual RTP stream. The Nortel IP phones themselves have configuration options for Control Priority Bits, Media Priority Bits, Control DSCP and Media DSCP. Are they both being set to the same Expedited Forwarding (EF) when using ADAC/LLDP with a Nortel IP phone? I’m not really sure although I could probably get a quick packet trace. Is there a way to set different 802.1p bits and DSCP entries? I don’t really know the answer to be truthful.

I’ll look at a few packet traces to see if the packets are marked differently.

The reason why I’m asking you is that I work at the company which is Nortel partner and we develop FirmWare for the Nortel IP phones. You are correct that IP phones themselves have configuration options and in the current FW releases when some DSCP and 802.1p Priority is sent by the switch in the Network Policy TLV (for Voice Application type), the IP phone applies these values to both – Control and Media traffic.

Currently official IP phone FW supports only the Network Policy TLV for the Voice application type. So I modified the IP phone FW so that it sends and accepts two Network Policy TLVs (for voice and voice signaling applications); now I need to configure the switch somehow to send the phones two Network Policy TLVs as well.

Looks like nobody knows the answer, most likely it is not possible in current Baystack software :)
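
For anyone working through the same question at the packet level, here is an added example (not from the post, and not the phone firmware or switch code discussed above) that encodes and decodes LLDP-MED Network Policy TLVs as defined in ANSI/TIA-1057: organizationally specific TLV type 127, OUI 00-12-BB, subtype 2, with the application type, tagged/unknown flags, VLAN ID, 802.1p priority and DSCP packed into four bytes. It builds an LLDPDU carrying one policy for Voice (application type 1) and one for Voice Signaling (application type 2) on the post’s voice VLAN 50, which is exactly the two-TLV advertisement the thread is asking for; the priority and DSCP values (6/EF 46 for media, 5/CS3 24 for signaling) and the chassis and port identifiers are assumptions.

```python
"""Encode and decode LLDP-MED Network Policy TLVs (ANSI/TIA-1057, OUI 00-12-BB, subtype 2),
showing an LLDPDU that carries one policy for Voice and one for Voice Signaling with different
DSCP values. Added example; VLAN, priority, DSCP and identifiers below are assumptions."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
OUI_TIA = b"\x00\x12\xbb"
SUBTYPE_NETWORK_POLICY = 0x02
APP_VOICE, APP_VOICE_SIGNALING = 1, 2  # application type codes from TIA-1057
APP_NAMES = {APP_VOICE: "voice", APP_VOICE_SIGNALING: "voice-signaling"}


def tlv(tlv_type, value):
    """Generic LLDP TLV: 7-bit type, 9-bit length, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def network_policy_tlv(app_type, vlan_id, l2_priority, dscp, tagged=True, unknown=False):
    """Network Policy info field: app(8) | U(1) T(1) X(1) | VLAN(12) | L2 prio(3) | DSCP(6)."""
    if not (0 <= vlan_id < 4096 and 0 <= l2_priority < 8 and 0 <= dscp < 64 and 0 <= app_type < 256):
        raise ValueError("field out of range")
    info = ((app_type << 24) | (int(unknown) << 23) | (int(tagged) << 22)
            | (vlan_id << 9) | (l2_priority << 6) | dscp)
    return tlv(TLV_ORG, OUI_TIA + bytes([SUBTYPE_NETWORK_POLICY]) + struct.pack("!I", info))


def build_lldpdu(chassis_mac, port_name, ttl, policies):
    """Mandatory Chassis ID / Port ID / TTL TLVs, the policies, then End of LLDPDU."""
    pdu = tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)          # chassis subtype 4 = MAC address
    pdu += tlv(TLV_PORT_ID, b"\x05" + port_name.encode())     # port subtype 5 = interface name
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    for p in policies:
        pdu += network_policy_tlv(**p)
    return pdu + tlv(TLV_END, b"")


def decode_network_policies(pdu):
    """Walk the TLV list; return decoded Network Policy TLVs and skip everything else."""
    policies, off = [], 0
    while off + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = pdu[off + 2: off + 2 + length]
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if (tlv_type == TLV_ORG and len(value) == 8
                and value[:3] == OUI_TIA and value[3] == SUBTYPE_NETWORK_POLICY):
            (info,) = struct.unpack("!I", value[4:])
            policies.append({
                "app_type": info >> 24,
                "unknown": bool((info >> 23) & 1),
                "tagged": bool((info >> 22) & 1),
                "vlan_id": (info >> 9) & 0xFFF,
                "l2_priority": (info >> 6) & 0x7,
                "dscp": info & 0x3F,
            })
    return policies


# Constructed example: voice VLAN 50 as in the post; EF (46) for media, CS3 (24) for signaling.
VOICE_VLAN = 50
POLICIES = [
    dict(app_type=APP_VOICE, vlan_id=VOICE_VLAN, l2_priority=6, dscp=46),
    dict(app_type=APP_VOICE_SIGNALING, vlan_id=VOICE_VLAN, l2_priority=5, dscp=24),
]
SAMPLE_PDU = build_lldpdu(b"\x02\x00\x00\x00\x00\x01", "1/48", 120, POLICIES)


def dscp_by_application(pdu):
    """{application name: dscp} as a phone that honours both TLVs would apply it."""
    return {APP_NAMES.get(p["app_type"], p["app_type"]): p["dscp"]
            for p in decode_network_policies(pdu)}


if __name__ == "__main__":
    print(SAMPLE_PDU.hex())
    print(dscp_by_application(SAMPLE_PDU))
```

Feeding the hex output to a capture tool, or comparing it with a trace from a real switch, is the quickest way to see whether a given software release emits one Network Policy TLV or two; a phone that only understands the Voice TLV will simply ignore the second one, which is the firmware limitation described above.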

Hi Mike, I’m having a technical problem. We are using Nortel switches (8600). We are maintaining MRTG for inter-building links. When we create an access point to secure telnet, MRTG stops functioning. But I am able to telnet to the system and I am also able to ping, but MRTG is not functioning. We need a solution where we will be able to use MRTG when we use an access policy to secure telnet. Will you please help me?

While SLPP is applicable it doesn’t get configured on the edge ERS5520 itself but rather on the core switch.

If you are running any of the ERS 5500 series switches in a Layer 3 configuration with the Advanced Routing License then those switches themselves can act as core switches as opposed to just being a Layer 2 edge switch.

Hi Michael, I hope all is well. I have a quick design idea/question for you. I read from your posts, also from Nortel docs, that STP on MLT links should be a no-no. I have a bit different scenario. Imagine if you will 3 ‘Edge Closets’ with 3 stacked 5520’s in each closet. Each Edge Closet uses MLT to connect two fiber connections to the core respectively. So all is fine and dandy, I can have STP disabled and we are good. But I have a small enough campus that I was able to run Ethernet cable to the edge closets between them. So again, I have 2 fiber connections using an MLT link for each edge closet connecting to the core. But edge closet 1 and 2 have an Ethernet cable run to edge closet 3. The reason is if (knock on wood) someone cut the fiber my MLT is worth nothing and both links are down, thus my edge closet. With STP if the fiber is cut in edge closet 1 the Ethernet cable will provide a link to the core (the Ethernet port is blocking via STP, but when the fiber MLT link is disabled the Ethernet port is brought online to edge closet 3), not the best for ‘best practice’ but will be enough for them to be online for a period of time until the primary link is repaired. Again I use STP for this config.

Now if I would disable stp on the mlt ports, I would imagine it would create a loop and down the network goes…. anywho, i did my best to explain this…. hope it makes sense. let me know your thoughts when you have time.

You can most certainly run Spanning Tree in an MLT configuration. You cannot run Spanning Tree in an SMLT configuration. I’ve made the personal decision to avoid using Spanning Tree where ever possible and instead rely on Layer 3 routing and Nortel’s proprietary IST/SMLT technology.

With respect to your specific configuration you can certainly enable and run STP between your closets and your core switch (you didn’t say what switch you had in the core). You only need to be mindful of how Nortel’s proprietary Spanning Tree works, unless you configure all your switches for RSTP or MSTP (you’ll need to make sure that you’re running a software version that supports RSTP and/or MSTP on both your core and edge switches). In short you need to align the ports in your MLT from the lowest ifNum to the highest ifNum. Example; port 1/48 on the 5520 connects to port 1/8 on the core while port 2/48 connects to port 2/8 on the core. If you were to cross those ports using Nortel’s proprietary Spanning Tree you would probably experience issues since Nortel only broadcasts BPDUs on one port (the lowest ifNum in the MLT) while other vendors like Cisco broadcast BPDUs on all ports in the EtherChannel (MLT).

You would definitely need to do your homework though and make sure that you set the root bridge priority on your core switch properly. You might also need to tweak the STP path costs to make sure that the interconnects between your edge switches are the ports that go into blocking and not your MLT uplinks.

I’ve avoided such configuration because I believe it leads to overly complex networks that often tend to fail on their own or through some unforeseen circumstances. As an alternative you could also have ports configured and cables ready (just unplugged) such that if you had an actual disaster you could quickly wire up the ports to an alternate edge switch. It would require manually connecting the patch cables but it would restore you to service much faster than waiting for the cabling vendor to re-splice your fiber pairs.

I have been reading your site for a while now and was wondering if you had any guidance on the use of DHCP-Relay to enable multiple subnets across multiple VLANs on ERS 5520.

Basically I have a situation where I need to do the following: I have 20 VLAN’s each VLAN needs to have a different subnet (and clients issued DHCP), the way it was explained to me was this, I have simplified this config to one switch acting as the core and one as the edge (and I still get the same issue):

1. On the core switch, I put the dhcp server on port 1, member of all the vlans, pvid=1 (default vlan) and untag pvid only (ip address of switch = 172.16.119.25)

2. I have made the sfp port (48) as the trunk and member of all vlans

3. On the edge switch I set all ports (apart from the trunk port) as pvid=vlan id (say 106) and unTagPvidOnly.

4. I give VLAN 106 (not VLAN 1) on the edge an IP address in the range given, 172.16.126.5/24

5. Set a dhcp-relay from 172.16.126.5 to our dhcp server (172.16.119.201)

I have run a wireshark trace and I can see the address being offered, even to the point that the dhcp server thinks the address has been allocated – alas it never makes it to the client. I have seen on other forums that this is common and the exact issue with relays and redhat.

The switches are ERS 5520’s running, Software version = v6.1.2.028 and diag=v60009

I would urge you to use the discussion forums in the future… you’ll find that there are quite a few people that are now following the forums and have a lot of advice and help to offer.

With all that said you’ve taken the time to describe your situation in detail so I’ll respond here.

You only need to enable DHCP relay on your router (Layer 3 switch) for that VLAN, that would be your core switch. So for your edge switches (Layer 2) there is nothing you need to do on those switches. All your configuration is going to be on your Layer 3 switch/router.

The DHCP server should be connected to the network just like any other server. The switch port (1) should be configured as an access (unTagAll) port. The port should be a member of the VLAN that matches the IP network assigned to the DHCP server.

1) If VLAN 1 was IP network 172.16.119.0/24 (core switch might be 172.16.119.1/24) then you would assign port 1 to VLAN 1.

2) the uplinks/downlinks all need to be configured as trunks, you need to extend the necessary VLANs to all the switches that will be connecting devices to that VLAN.

3) you could set the ports as unTagAll but unTagPvidOnly will also work. The PVID should be set to whatever VLAN the port is a member of.

4) For VLAN 106, you need to create the VLAN on your core switch, create an IP interface (this will be the default gateway for the PCs), enable DHCP/BOOTP and configure a DHCP relay address of 172.16.119.201 (your DHCP server). Your edge switch will just be a Layer 2 device and you will bridge the frames to the core, not route them to the core. Make VLAN 106 a member of all downlinks from the core, create VLAN 106 on your edge switches, and add the switch ports in question to the VLAN making sure that the PVID is also set properly.

5) you are basically correct but I would advise that you use .1 for your IP interfaces if possible, makes thing much easier to follow (at least for me).

I suspect you have a configuration issue somewhere… DHCP relay isn’t that hard anymore.

In short the DHCP relay agent (the core switch running the .1 interface – the default gateway for the DHCP clients) will see the DHCP discover broadcast from the client. The broadcast will be forwarded from the edge switch to the core, the core will see the broadcast and forward the DHCP request via a unicast packet to the DHCP server. The DHCP server will respond by sending a unicast packet back to the router (.1 interface) and the router will broadcast the response as a broadcast to all ports in the VLAN which eventually floods back down to the edge (Layer 2) switch and all ports in the VLAN.

You need to be precise with your VLAN assignments; you should only assign IP interfaces to the core switch and leave the edge switches as Layer 2 switches only.
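
The relay exchange described two paragraphs up, as an added example (not from the post and not any switch’s implementation): a minimal model of RFC 2131 DHCP relay in which the client’s DISCOVER is broadcast on VLAN 106, the core’s IP interface on that VLAN stamps giaddr and forwards the request unicast to the server, the server chooses the scope from giaddr, and the reply is delivered back on the client VLAN. The addresses follow the thread (core interface 172.16.126.1 as recommended, server 172.16.119.201 on 172.16.119.0/24); the address pools, MAC address and transaction ID are constructed, and the server’s scope logic is a simplification of what a real server does.

```python
"""Minimal model of DHCP relay across VLANs (RFC 2131 giaddr handling). Added example, not from
the post; pools, MAC and xid are constructed, the addresses follow the thread."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
BROADCAST_FLAG = 0x8000


def packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_dhcp(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               giaddr="0.0.0.0", hops=0, flags=BROADCAST_FLAG):
    header = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, flags, packed(ciaddr),
                         packed(yiaddr), packed("0.0.0.0"), packed(giaddr),
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])   # option 53 + end


def parse_dhcp(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length

    def ip(b):
        return str(ipaddress.IPv4Address(b))
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6], "ciaddr": ip(f[7]),
            "yiaddr": ip(f[8]), "giaddr": ip(f[10]), "chaddr": f[11][:6],
            "msg_type": opts[53][0]}


def relay_to_server(pkt, relay_interface_ip):
    """Core-side relay: stamp giaddr with the VLAN's IP interface (the clients' default gateway)
    if it is still empty, bump hops, and hand the result back for unicast to the server."""
    m = parse_dhcp(pkt)
    if m["hops"] > 16:
        return None   # RFC 1542: silently discard when hops exceeds 16
    giaddr = relay_interface_ip if m["giaddr"] == "0.0.0.0" else m["giaddr"]
    return build_dhcp(BOOTREQUEST, m["xid"], m["chaddr"], m["msg_type"],
                      giaddr=giaddr, hops=m["hops"] + 1, flags=m["flags"])


class DhcpServer:
    """Scope selection by giaddr; a direct request (giaddr 0.0.0.0) is served from the server's own subnet."""

    def __init__(self, own_subnet, pools):
        self.own_subnet = ipaddress.ip_network(own_subnet)
        self.pools = {ipaddress.ip_network(net): list(addrs) for net, addrs in pools.items()}

    def handle(self, pkt):
        m = parse_dhcp(pkt)
        if m["op"] != BOOTREQUEST or m["msg_type"] != DHCPDISCOVER:
            return None
        if m["giaddr"] == "0.0.0.0":
            scope = self.own_subnet
        else:
            relay = ipaddress.ip_address(m["giaddr"])
            scope = next((n for n in self.pools if relay in n), None)
        if scope is None or not self.pools.get(scope):
            return None   # no scope for that relay address, or pool exhausted: stay silent
        lease = self.pools[scope].pop(0)
        return build_dhcp(BOOTREPLY, m["xid"], m["chaddr"], DHCPOFFER, yiaddr=lease,
                          giaddr=m["giaddr"], hops=m["hops"], flags=m["flags"])


def relay_to_client(reply):
    """The server unicasts the reply to giaddr; the relay delivers it on that VLAN, as a broadcast
    when the client has no address yet or set the broadcast flag. Returns (destination, message)."""
    m = parse_dhcp(reply)
    if m["ciaddr"] == "0.0.0.0" or m["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", m
    return m["ciaddr"], m


def demo():
    """VLAN 106 client behind the core's 172.16.126.1 interface, server on 172.16.119.0/24."""
    server = DhcpServer("172.16.119.0/24", {"172.16.119.0/24": ["172.16.119.50"],
                                            "172.16.126.0/24": ["172.16.126.50"]})
    discover = build_dhcp(BOOTREQUEST, 0x3903F326, b"\x02\x00\x00\x00\x00\x55", DHCPDISCOVER)
    offer = server.handle(relay_to_server(discover, "172.16.126.1"))
    return relay_to_client(offer)


if __name__ == "__main__":
    dst, offer = demo()
    print(f"OFFER {offer['yiaddr']} via giaddr {offer['giaddr']} -> {dst}")
```

The two failure modes worth trying against the model are the ones that produce the “address offered but never reaches the client” symptom from the question: a giaddr the server has no scope for (it stays silent), and a relay interface that is not the client VLAN’s own gateway, which makes the server pick the wrong scope and hand out an address the client cannot use.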

We have two set of stacked switches in two Racks. And would like to configure MLT/LACP/Etherchannels between them.

So four ports of MLT between Sw1 – Sw6 And four ports of MLT between Sw5 – Sw10 (for redundancy)

Stack1-Rack1 (Cisco 3750)    Stack2-Rack2 (Nortel 5510-48t)
Sw1                          Sw6
Sw2                          Sw7
Sw3                          Sw8
Sw4                          Sw9
Sw5                          Sw10

Question:

1. Is this scenario possible/recommended?
2. Will both sets remain active at the same time? How will the failover/failback take place?
3. Does one set need to be Active/Passive or Master/Slave?
4. Does STP need to be disabled on all 16 ports?

Michael, I’m going to deploy an ERS-5520 to one of my remote locations. I currently have 2 5520’s at my office and a management VLAN of 200. My question is in regards to the management VLAN. What would be the best practice to create a management VLAN in the remote location? Can I somehow connect my current one with the remote mgmt VLAN? I would be very thankful if you could share your input on this matter. Thanks Wesley

At my remote sites I usually don’t worry about a management VLAN and just lump the switches/routers in the local VLAN. I reserve IP addresses .1 – .24 for switches/routers/etc, .25 – .49 for servers, .50 – .254 for edge devices (PCs, printers, etc).

Thanks for the info. If you don’t mind I have another blond moment. I’m using ADAC – LLDP Detection for my Voice VLAN and QOS. 5520 will be routing to my corporate network over MPLS, provisioned for us by provider. In the configuration like this. Do I tell ADAC that my UPLINK port is the one connected to my providers switch/router or I don’t need to do that at all? Will I have to tag the port on 5520?

That’s going to create some issues and will probably prevent you from utilizing ADAC/LLDP-MED. Why? The feature is only intended to be used with switches configured as Layer 2 devices with an upstream switch performing the actual routing between the VLANs.

I ran into this issue almost a year ago working on some new designs and I didn’t see any easy way around the problem other than deploy a second ERS 5520/5530 as the edge/WAN router and then keep the first ERS 5520 configured as a Layer2 switch with ADAC/LLDP-MED.

After doing some research I found an example in the Avaya IP Telephony Deployment TCG NN48500-591 Ver 1.3 Link here “http://support.nortel.com/go/main.jsp?cscat=DOCDETAIL&id=984451&poid=14761”

“Auto Configuration Using Ethernet Routing Switch 5520-PWR and Ethernet Routing Switch 4526-GTX-PWR and DHCP for IP Phones” In the mentioned example the ERS-5520 is configured as a layer 3 switch with DHCP provisioning IP Phones. QoS configured using traffic profiles.

Investigating further I found another TCG. Avaya IP Telephony Deployment TCG NN48500-517 Ver 7.0 from October 2010. Link here “http://support.nortel.com/go/main.jsp?cscat=DOCDETAIL&id=965097&poid=14761”

In this TCG under Auto Configuration with a Stackable Ethernet Routing Switch using DHCP and LLDP-MED. I found if the switch is updated with the latest image and diag software you can configure LLDP-MED with or without ADAC, page 21. Although the article is used with layer 2 switches. I assume, I can use LLDP-MED without ADAC to detect IP Phones. Use MED policy values to assign DSCP, priority and tagging to Voice VLAN. Remark the Data VLAN with a QoS level of Standard using traffic profile. Please correct me if I do not understand something here.

Here is something else I’m not so sure about. In the first example they have 3 VLANs (data, voice and core). The core is a separate VLAN 260, connecting the 5520 to some kind of WAN router and being the default gateway for the network. There are not too many details about that VLAN configuration. My concern is: when voice packets leave the 5520 and travel through core VLAN 260 to my corporate network, over the WAN, what will happen to those voice packets and the DSCP values as well as the priority assigned to them? Do I need to do something on the core VLAN 260 to preserve the assigned values? Finally, tell my WAN provider to set their end to be aware of voice traffic and give it higher priority too?

With regard to QoS the switch will not modify any packets as they egress a switch port unless a traffic filter has been configured to do so. The switch will automatically honor any QoS (Diffserv/802.1p) tagged packets that it forwards between ports (across the backplane). The important part to understand is how the switch deals with the packets as they ingress the switch, that’s where you can rely on ADAC to take care of the QoS or you can set up specific traffic filters that will apply a set QoS level based on VLAN ID or some other criteria.

This is why we set up trunks as “Trusted”, but this trusted approach only applies to packets on ingress (into the switch) and has no bearing on egress (out of the switch). So any packets that arrive on a “Trusted” port will be bridged through the switch unmodified and the packet will egress the switch with the same Diffserv/802.1p tag that it ingressed with.

Hopefully that makes sense… the issue with ADAC is that you may have problems creating a Layer 3 IP interface on a VLAN that is automatically created by the ADAC process. With ADAC you don’t create the voice VLAN yourself, the ADAC configuration does that for you. I’m not 100% sure because I’ve never had to utilize an edge switch as a Layer 3 router when working with ADAC/LLDP-MED.

Hi Michael, a customer has recently taken receipt of two new Nortel 5530-24tfd switches for back-up purposes and is having difficulty copying the running config of the live switch onto the new switches. The older original switch is firmware version 4.2.0.12, software version v4.2.0.002 and the new switches are firmware version v6.0.0.6, software version v6.1.0.006. I do not have any Nortel knowledge at all and only work on Cisco kit but can’t imagine that a change in firmware/software would cause such a reaction to loading a config that works on one switch onto another of the same vendor. Is there any difference in the new switch command set? Can you advise please on the method I should use to carry out this task? Is he possibly trying to load too much at once as it is a 1MB file? With Cisco HyperTerminal I set a delay in the ASCII setup to slow the delivery down. Should they be doing the same thing? This was my first thought when asked to deal with the problem. Cheers etc pgatt62

You neglected to mention exactly what switches your customer has today… assuming they are in the ERS 5500 series the basic CLI interface should be the same. You’ll obviously find a lot of features in the 6.x software that are missing in the 4.x software. With a Nortel/Avaya switch there is a trick to restoring a configuration… you need to factory reset the destination switch first before you try and load either an ASCII or BINARY configuration file. You can also, as you suggested, cut and paste various sections of the configuration file at a time. Again as you suggested you don’t want to cut and paste too much at one time as you’ll fill up and overwrite the buffer and you might miss some commands.

I would suggest you review the ASCII configuration and then manually cut and paste the important sections. Assuming your customer doesn’t have a complicated configuration this should be fairly easy. It might also just be easier to document the configuration and then just re-configure the new switch manually.

If you spend a short amount of time with the CLI you’ll find that it’s pretty logical although it does have some minor annoyances.

Hi Michael, following is another reply to my original question. Could you give me your thoughts if possible:

“To load a backed up config to a new switch, it has to be exactly the same hardware and software level. Any differences and the config will not load. The only way you could do it would be to upgrade the old switches to version 6 software and then copy the config. To do this I believe would require a stepped upgrade as I don’t think you would go from 4 to 6. Check the release notes to confirm upgrade path.”

If you are trying to use the binary configuration file then the statement above is applicable and correct. With that said you can use the ASCII configuration file and you can certainly cut-n-paste various sections of the configuration and port it to another similar switch. It’s not 100% foolproof but it certainly can be done.

Now even with the ASCII configuration the commands (and syntax) can change between software versions so some amount of tweaking might be necessary.

Thanks for all your help so far. I’m on a webex tomorrow to discuss a solution to this. How would you do it or recommend it’s done?

1. Go for a block cut and paste, with or without a factory reset command to start with? (“boot default”, then give it an IP address so I can access it over the network as I can’t get physical access to it)… or

2. Go for the hardware and software compatibility by possibly asking the client to add the switches into the stack and then let the master switch set them up the same as it, even if it means a downgrade?

Hi Michael, sorry for being a pest but could you clarify something for me. As you know I’m trying to work out a solution for a customer with newer software/firmware versions on 5530 switches that refuse to take the config of the older version switch. They suggested that if we downgraded the newer switches to the older version it might work; how could we do this? Looking through your blog back catalogue I’ve found three different opinions, could you set me straight on this:

1. July 22, 470 Stack Troubleshooting: “One very important note! You can only stack switches that are running the same version of software (boot code and agent code). I believe the “Base” light will blink amber if you try to stack two switches together that are not running the same software”

2. July 31, 5500 Stack Troubleshooting: “You can add a switch to the stack and the base unit will automatically push the running firmware/software to the recently added switch. You may need to be running at least v4.2 software for this to work although I’ve been unable to confirm as of yet.”

3. August 10, Cascade Nortel Switches: “The newer Ethernet Routing Switch 4500/5500 series switches will try to automatically upgrade any switch that is added to the stack and isn’t running the appropriate software version.”

Could option 3 possibly mean convert other switches in stack to same version the base is running? If so will a version downgrade also be possible?

Sorry for the late reply… missed your previous message until the comment below was made.

The Ethernet Routing Switch 5000 series (v4.1 software and later) will automatically upgrade the software of switches in the stack that don’t already match. The Ethernet Switch 470 does not have this feature and will instead refuse to stack with switches that aren’t running the same version.

I think if you try and run through the conversion (ahead of time) you’ll get a lot of your questions answered.

Hi Michael, I have a Nortel 5520 model, and I need to configure 3 VLANs with an IP address for each of those VLANs. I was looking for an article which explains this, but I didn’t see anything about it. Please can you point me to a link with an article that explains how I can do it? Or anything like this?

Hi Mike, I am sorry to disturb you, but I have a question. Do you think it is possible for LLDP-MED to work without enabling and configuring the Automatic Detection and Automatic Configuration? I have heard today (from a person I am moderately confident in) that it was possible to do this on the latest software versions of the ERS-45xxT-PWR series? What do you think? Thank you. Best regards, Damien

I’m not 100% sure myself so I’ll need to dig around and check. I believe I might have read that you can set the LLDP-MED parameters manually but you’d still need to configure the VLAN ports and QoS settings manually. You can change the ADAC detection method to LLDP (originally it only supported MAC address detection, which required the MAC address ranges of all IP phones that might connect to the switch).

Let me dig around and I’ll see… are there any reasons to NOT deploy ADAC?

Indeed. There may be one reason to NOT deploy ADAC: a limitation induced by ADAC in one “exotic” case in particular. It is too late tonight and unfortunately I do not have time, but I promise that I’ll explain my scenario to you tomorrow.

Hey Mike, without ADAC it works perfectly (v5.4.009 on ERS 45xxT-PWR)!!! And so I resolved my problem. In fact I have multiple Voice VLANs in my LAN architecture and ADAC was limited to a single Voice VLAN. ;)

Hi Damien, if you don’t mind sharing information: I have a similar situation with my ERS 5520 and I was wondering how you configured your switch to use LLDP-MED without ADAC so that all the phones and QoS are working together.

I have read everyone’s comments on this forum and have a question of my own. I am configuring LLDP on our Nortel 5520 with ver. 6.0 and I have the LLDP detection enabled. I am connecting Cisco 9971 phones to these switches. It seems to place the VLAN on the port when I attach a phone device, but will not place the phone on that operational VLAN. Does anyone have experience in getting the LLDP detection to work with Cisco phones?

Thanks Michael for the info. We have a very specific setup in some of our smaller offices and I would like to use ADAC and LLDP to configure our phones. Part of the issue is I am not sure what the ADAC uplink port does. I know the other ports look to that port for VLAN information, but how do I know what port to use? Our small office setup is below.

We have a stack of 5520s that handle everything in the office. They are the floor and core switches. We have DHCP helper set up to pass DHCP to the different VLANs. We also have 2 MPLS networks set up, one for Data and one for Video and Voice. They also fail over for each other, so if one goes down the other takes the load. My question is what would I choose as the uplink port in this setup? In our larger offices I am just setting the uplink as the MLT port on the floor switches that go back to our core.

If you had a core switch that connected multiple closets then you would need to define the uplink port on the closet switches. If you are just using a single 5520 (or a single stack) you don’t need to worry about the ADAC uplink port and you can omit it from your configuration. Your MPLS network is most likely an IP routed connection so there’s really nothing to do there. The IP traffic would simply flow over the remaining routes (MPLS path) in the network.

Thanks again. Not sure why I didn’t think of not providing an uplink port. For some reason I was sure you had to specify one. That was making me think I was only a large office setup. I tried that and it worked. Thanks and good info you are providing to everyone. It really helps and I know many really appreciate it.

Thanks, Michael, for the link. I was able to get the phones to work using ADAC and LLDP on the Nortel switches. I am now running into another issue. I will check the link for answers, but will post the question in case anyone knows.

While configuring ADAC on the Nortel switches you have to specify an uplink port. My issue is in our smaller offices we are using the Nortel switch as our floor/core switch. We also have 2 MPLS networks for redundancy. I can only specify one of those ports as the uplink port. How does Avaya/Nortel handle ADAC fault tolerance for small setups?

I had a stack of switches (6); they were all at the same FW level, 6.1.2. The config was extracted just in case, then the base was updated to 5xxx_624010. After a few minutes the stack was back up and running; however, on switch 6 the status light was flashing and the stack up/down lights were off, but it was still working. The status light seems to indicate that there was or is a non-fatal system error. The stack was broken and the switch powered off, it was then added back to the stack, but the same problem was there. The unit was removed and another unit installed and added to the stack; the switch came up no problem and all is well.

The unit that seems to have the issue was checked out. I ran the upgrade of the firmware and diags again; the firmware seems to work but I get the following error with the diags:

Len= 0xFFC20= 1047584. (@1A00000) ## Can’t Find 56xx Agent Magic #?

Also, when looking at the event log, it has some information about not using the primary config and using the backup.

Thanks for the information. I followed the instructions in the PDF, but no errors were returned. I don’t want to put it into a live environment just in case, but if you or any other readers have any suggestions

Question: I have a simple flat network consisting of Baystack 5510s. I have three 48 port Baystacks stacked in the “core backbone”. On the other floors I have 48 and 24 port Baystacks that have separate Gb uplinks to the stacked “backbone” in the server room. Each has its own uplink. Occasionally, I will get flooding where all switch lights are blinking very fast at the same time. Some person has plugged two ends of a cat6 cable into a little Linksys 8 port or something. Anyway, I have Spanning Tree enabled on all switches and they are all set to STP Compatible mode. When someone messes up and plugs the two ends in it still brings down the network. What settings in the Spanning Tree am I missing? I did see that you suggest rate limiting as well. If, for example, I have 7 Baystacks on the other floors with each uplink drop going to the base unit in the “core” on, let’s say, ports 41-47, how do I stop the flooding? Do I leave STP Compatible on all ports except uplinks to the core stack? Do I enable rate limiting on all ports?

It’s really great to read your blog. I wish you could give a little time to answer my query. We have a 3 tier network, 2x ERS8600 as Core, 2x ERS8300 as Distribution Switch and 4500 as Access. The query is related to making my network loop-free, whereas we have STP (BPDU guard) on access ports, SLPP on SMLT ports and rate-limiting on uplinks. Now, because STP is not there on the MLT, the root bridge election process is within the access stack; can you please explain the root bridge election and designated root bridge election process in a stack? Also can we have a feature like the spanning tree loopguard feature or the spanning tree root guard feature?

I really need your help. I am a newbie on Nortel switches. I need to show my customer that my application has been running on my own network environment. The application cannot work on my customer’s network (Cisco). I have requested some ports to be opened on their network. Until now my application cannot run on their environment. I am sure they missed something (maybe not all the ports I need have been opened).

I just want to show my customer that my application can run on my Nortel switch. I have tried to use my Nortel switch (all ports open/default), and my application runs well.

Can you help show me how to configure my Nortel switch with something like an access list: by default, close all ports except the ones needed by the application.

While I’m happy to help I’m not going to do the work for you… I would suggest you read up on the documentation. You might find that a firewall or edge router might be a better place to filter traffic than say an edge switch.

I have not found it in a release note yet, but in one of the latest software updates (at least v6.3.1.039) there is finally a summer-time RECURRING configuration option, YAY! :) It goes a little something like this (for European DST):

5520-48T-PWR (config)# clock summer-time recurring last Sunday March 02:00 last Sunday October 03:00 60

I use these commands as you suggest:

5520-48T-PWR (config)# interface fastEthernet ALL
5520-48T-PWR (config-if)# rate-limit both 10

but when I go to the rate limiting configuration in the menu, some ports still have values of more than 10% in the Last 5 minutes, Last Hour and Last 24 hours columns. Is it necessary to power off the switch for the change to take effect? Are the SFP ports rate-limited by this command or is there another one? Regards,

The output is an average value computed over time so if you just made the change you’ll need to wait for the statistics to catch up with your change. The important piece is just making sure that the limit change is in effect, you can see in the output above that I have rate-limiting enabled for ports 1-3 but disabled for ports 4 and 5.

ifInDiscards – The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

Although now that I’ve cut-n-pasted that definition above I don’t believe the ASIC reports dropped broadcast or multicast frames to the software, so the ifInDiscards will likely not reflect any dropped broadcast or multicast packets due to rate-limiting.

The feature is implemented in hardware in order to keep any broadcast/multicast from flooding the switch.

I am using your ADAC configuration with Aastra IP Phones. ADAC appears to be working but I am getting a phone DHCP address from my data VLAN DHCP scope, not the Voice VLAN DHCP scope. Any help would be appreciated. Thanks, Bill

Hi Michael, large files transferred by FTP via ERS 3524GT failed. Two ERS 3524GT have this issue. I have checked show port-statistics; one of the 4 links of the MLT has a high Dropped On No Resources count:

ERS 3524GT-02 MLT (port 21-24) port 23 Dropped On No Resources 64390
ERS 3524GT-03 MLT (port 21-24) port 24 Dropped On No Resources 341301

I think this issue is due to the buffer (the buffer is full). I tried to change the buffer setting, but there is no such option on this device. Could you please suggest any other alternative to overcome this issue?

What’s the topology of the network? Is everything running at 1Gbps? I’ve only seen this problem when you have a 1Gbps device that is trying to send data to a 100Mbps server, or when you have a 100Mbps IP phone in the middle of the TCP data stream.

Hi Michael, I know this is an old thread, but it’s a frequent result on Google. I have two questions about rate-limit. 1. Is there a rule-of-thumb conversion between the “percent” value you give (10%) for the 5520 and a “packets per second” value that my 3524GT switch uses? Percent makes more sense to me, but firmware 5.3.2 for the 3524 says the value is PPS, not percent.

2. If the rate-limiting kicks in, do the discarded packets show up in the port statistics anywhere?

Thanks, your site has saved my bacon many times over the past 4 years, even when it’s older posts like this.

It is an old thread but it’s usually one of the top 10 URLs in terms of traffic to this blog.

Yes, the % was in relationship to the port speed, so 10% of a 10Mbps port would be 1Mbps of traffic, 10% of a 1000Mbps port was 100Mbps, etc. The rate limiting was done in the Broadcom ASIC and that’s how the chipset worked.

In later ASICs the chipset worked on PPS, which as you point out is not so clear a value to us everyday humans. I’ll refer to this post I made on the forums some time ago:

I would suggest you start at 2500 PPS and see what you get, I’ve gone as high as 5000 PPS in the past. The issue is specific to each network depending on how much broadcast noise there is on the network. We don’t want to ‘break’ the network by dropping these needed broadcasts but we want to prevent a flood of broadcasts from overloading the network so some trial and error is required.

In the past there was no feedback into the UI since the rate-limiting was being implemented into the Broadcom ASIC. That might have changed in the past few years but not to my knowledge.
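The two replies above (the percent-of-line-rate limit on the older ASIC and the 2500 PPS starting point for the newer ones) can be related to each other once you fix a frame size, which is what the questioner was asking for. The following is an added example, not code from the original post or from Nortel/Avaya; it assumes standard Ethernet framing (each frame costs its own length plus 20 bytes of preamble, SFD and inter-frame gap on the wire) and uses 64-byte frames as the worst case, since a storm of minimum-size broadcasts is the traffic the limit exists to contain. It also includes a wrap-safe rate calculation over ifInBroadcastPkts-style Counter32 samples, which is the check you can run from the outside since the ASIC does not report its rate-limit drops in ifInDiscards.

```python
"""Rate-limit percent <-> packets-per-second helpers (added example).

Assumptions (not from the post): standard Ethernet framing, where every
frame occupies its own length plus 20 bytes of preamble/SFD/inter-frame
gap on the wire; 64-byte minimum frames are the worst case for a storm;
port speeds are given in Mbps.
"""

WIRE_OVERHEAD_BYTES = 20      # 7 preamble + 1 SFD + 12 inter-frame gap
MIN_FRAME_BYTES = 64          # smallest legal Ethernet frame, FCS included
MAX_FRAME_BYTES = 1518        # largest untagged frame, FCS included
COUNTER32_MOD = 2 ** 32       # SNMP Counter32 objects wrap here


def bits_on_wire(frame_bytes):
    """Bits one frame occupies on the wire, framing overhead included."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError("frame_bytes must be between 64 and 1518")
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def percent_to_pps(port_speed_mbps, percent, frame_bytes=MIN_FRAME_BYTES):
    """Packets/second equivalent of `percent` of a port's line rate.

    With the default 64-byte frames this is the highest packet rate the
    percentage can correspond to; larger frames mean fewer packets.
    """
    if not 0 <= percent <= 100:
        raise ValueError("percent must be in 0..100")
    allowed_bps = port_speed_mbps * 1_000_000 * percent / 100
    return allowed_bps / bits_on_wire(frame_bytes)


def pps_to_percent(port_speed_mbps, pps, frame_bytes=MIN_FRAME_BYTES):
    """Share (in percent) of a port's line rate used by `pps` frames/second."""
    if pps < 0:
        raise ValueError("pps must be non-negative")
    used_bps = pps * bits_on_wire(frame_bytes)
    return used_bps / (port_speed_mbps * 1_000_000) * 100


def pps_table(pps, speeds_mbps=(10, 100, 1000)):
    """Map one PPS setting to its percent-of-line-rate on each port speed."""
    return {speed: round(pps_to_percent(speed, pps), 3) for speed in speeds_mbps}


def broadcast_pps(prev_count, curr_count, interval_s):
    """Broadcast packets/second from two Counter32 samples, wrap-safe.

    Counter32 objects such as ifInBroadcastPkts wrap at 2^32, so a plain
    subtraction across a wrap would produce a bogus negative rate.
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    delta = (curr_count - prev_count) % COUNTER32_MOD
    return delta / interval_s


def over_limit_intervals(samples, interval_s, pps_limit):
    """Indices of sample intervals whose broadcast rate exceeded pps_limit.

    `samples` is a list of successive ifInBroadcastPkts readings taken every
    `interval_s` seconds; an index i refers to the interval ending at samples[i].
    """
    return [
        i for i in range(1, len(samples))
        if broadcast_pps(samples[i - 1], samples[i], interval_s) > pps_limit
    ]


if __name__ == "__main__":
    # 10% of a gigabit port, expressed as worst-case (64-byte) packets/second
    print(f"10% of 1000 Mbps ~ {percent_to_pps(1000, 10):,.0f} pps (64-byte frames)")
    # The 2500 PPS starting point from the reply, as a share of each port speed
    print("2500 pps as % of line rate:", pps_table(2500))
    # Constructed counter readings 60 s apart, including a Counter32 wrap
    readings = [4_294_960_000, 4_294_966_000, 4_000, 160_000]
    print("intervals over 2500 pps:", over_limit_intervals(readings, 60, 2500))
```

The table shows why a single PPS figure is hard to reason about: 2500 pps of minimum-size frames is 16.8% of a 10 Mbps port but only 0.168% of a gigabit port, so the same setting is far more restrictive on slow edge ports than on uplinks. The counter-based check is only a sanity check on what the port is seeing, not a count of what the ASIC dropped, which matches the reply's note that there is no feedback in the UI.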

Hoping you’ll have a suggestion here. I performed a firmware/software upgrade on 2 standalone 5520s.

I messed up the first one that I did (the second was done perfectly!). I got interrupted and also think I did the v6 diag and restarted before the v6 software was in. It now boots up with all 48 speed LEDs steady on (+ UI white, pwr green, all others off). I assume I’ve either corrupted the firmware or loaded incompatible firmware/software and effectively bricked the first unit.

The network is not working (getting no link on any ports), no response using HyperTerminal on the console port, no difference between a power reset or a UI switch reset (holding for 8 sec does reboot it, which gives me some hope).

Any idea if these switches have a recovery mode that I can trigger in order to get in and download the firmware & software? I haven’t been able to find anything in the manuals or online (and the LED setup is also not described there).

I’ve never run into that problem myself… have you tried to interrupt the boot cycle with a break or Ctrl-C during the initial boot up? That would be our only option and if that doesn’t work you probably need to scrap the switch.

Hi Michael, very informative blog. I’ve just acquired one of these switches off eBay and am using it in a home lab. I mainly use Cisco stuff but thought it would be good to expand my knowledge to other brands. One question I have is what are the commands to view and manipulate the files in flash? Cisco uses the dir command set but I cannot find an equivalent on my 5520-48T-PWR. I have access to the latest diag and images and want to make sure I will be using the correct one to do an upgrade.

One file I have is named 5xxx_60006_diags.bin and the other is 55x0_60006_diags.bin. I’m not too sure which is the correct one for this switch.

Extreme/Avaya/Nortel doesn’t expose the filesystem to the users in this product so you can’t just manipulate the files. You should review the release notes before you try an upgrade. Depending on what code you are currently running you might need to upgrade to an interim release first.

If you are just looking for a simple Ethernet switch, I would leave it on the code it’s running.
